CVE-2025-12156
BaseFortify
Publication date: 2025-11-04
Last updated on: 2025-11-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | 2.0.7 |
| wordpress | wordpress | 2.2.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT) All in One plugin for WordPress, versions 2.0.7 to 2.2.6. It is caused by a missing capability check in the save_post_data() function, which allows authenticated users with Subscriber-level access or higher to modify data without proper authorization. Specifically, these users can create and publish arbitrary posts even if they should not have permission to do so.
How can this vulnerability impact me? :
The vulnerability allows attackers with low-level authenticated access (Subscriber or above) to create and publish arbitrary posts on the WordPress site. This can lead to unauthorized content being published, potentially damaging the site's integrity, reputation, and trustworthiness. It could also be used to distribute malicious content or misinformation.